According to a recent survey from Ivanti, nearly three-quarters (74 percent) of IT professionals reported that their organizations have fallen victim to a phishing attack – and 40 percent of those happened in the last month alone. Increasingly, mobile phishing is the culprit. What’s more, nearly half of these professionals cited a lack of the necessary IT talent as one of the core reasons for the increased risk of phishing attacks. So how can organizations overcome the sudden increase in security threats and regain the upper hand against bad actors with fewer resources than ever before? Increasingly, it looks like zero-trust will become the ideal approach for doing more with less, because ultimately, it’s the users and their cyber-hygiene that are the first line of phishing defense. Let’s take a look at the latest phishing trends.

Where Big Phish Lurk in the Everywhere Pond

As organizations across all industries have shifted to distributed work environments, it’s no longer the task of security teams to manage access to data and systems from a specific location. Rather, employees are accessing work-related information on their personal devices from locations all over the globe, making it significantly more challenging for IT personnel to track and verify each and every connected device. Because of this shift, bad actors have evolved their phishing attacks and are now focusing their efforts on employees’ personal mobile devices – and as our survey results showed, are finding…

A critical security bug affecting Cisco’s Unified Contact Center Enterprise (UCCE) portfolio could allow privilege-escalation and platform takeover. Cisco UCCE is an on-premises customer-service platform capable of supporting up to 24,000 customer-service agents using channels that include inbound voice, outbound voice, outbound interactive voice response (IVR) and digital channels. It also offers a feedback loop via post-call IVR, email and web intercept surveys; and various reporting options to gather information on agent performance to use in establishing metrics and informing business intelligence. It counts some heavy hitters among its users, including T-Mobile USA, according to the product website. The bug in question (CVE-2022-20658) is a particularly nasty one, with a critical rating of 9.6 out of 10 on the CVSS vulnerability-severity scale, and could allow authenticated, remote attackers to elevate their privileges to administrator, with the ability to create other administrator accounts. It specifically exists in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) and stems from the fact that the server relies on authentication mechanisms handled by the client side. That opens the door to an attacker modifying the client-side behavior to bypass protection mechanisms. The CCMP is a management tool that gives contact-center supervisors the ability to move,…

Cyberattackers brought down around 70 Ukrainian government websites on Friday, defacing the site of the foreign ministry with a message to “Be afraid and expect the worst.” The huge attack hit on Friday, unfolding hours after Russia and Western allies wrapped up fruitless talks intended to forestall a threatened Russian invasion of Ukraine. The threatening message, which appeared in Ukrainian, Russian and Polish on the foreign ministry’s website, also alleged that Ukrainians’ personal data had been compromised: “Ukrainians! … All information about you has become public,” the message said. “Be afraid and expect worse. It’s your past, present and future.” BuzzFeed News’ Christopher Miller shared an image of the message on Twitter. It displayed a crossed-out Ukrainian flag, map and coat of arms.

NEWS IN KYIV: Several Ukrainian government websites down due to a major cyberattack. Below is the @MFA_Ukraine website now. It reads in part: "Ukrainians!…All information about you has become public, be afraid and expect worse." Sites of MOD and Education ministry also down. pic.twitter.com/3lbA06Q3Fl — Christopher Miller (@ChristopherJM) January 14, 2022

The message reportedly also referenced “historical land” and dropped the name of the Ukrainian insurgent army, or UPA. UPA is a Ukrainian nationalist paramilitary group that engaged in guerrilla warfare against the Soviet Union, the Polish Underground State, Communist Poland and Nazi Germany during World War II. The foreign…

At the request of U.S. authorities, Russia’s Federal Security Service (FSB) has swooped in to “liquidate” the REvil ransomware gang, it said on Friday. According to local reports, the country’s main security agency raided 25 locations in Leningrad, Lipetsk, Moscow and St. Petersburg, seizing assets worth more than $5.6 million (426 million rubles) in various forms, including $600,000; €500,000; various cryptocurrency amounts; and 20 luxury vehicles. The FSB said that a total of 14 alleged cybercriminals were also caught up in the raid and have been charged with “illegal circulation of means of payment.” The security service also said that it “neutralized” the gang’s infrastructure. The impetus for the operation was reportedly a formal request for action from U.S. authorities, “reporting about the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” according to an FSB media statement. It added, “As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent U.S. authorities have been informed about the results of the operation.” The move comes two weeks after a high-stakes phone call between Russian President Vladimir…

Researchers have discovered three WordPress plug-ins with the same vulnerability, which allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however. On Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites, Wordfence’s Chloe Chamberland wrote in a post published online Thursday. However, a few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of XootiX. They are “Side Cart Woocommerce (Ajax),” which has been installed on more than 60,000 sites, and “Waitlist Woocommerce (Back in stock notifier),” which has been installed on more than 4,000. Login/Signup Popup is a “simple and lightweight” plug-in aimed at streamlining a site’s registration, login and password reset processes, according to its description online. Side Cart Woocommerce – designed to work with the Woocommerce plugin for creating an e-commerce store – allows a site’s users to access items they’ve placed into a shopping cart from anywhere on the site. Waitlist Woocommerce – also to be used with Woocommerce – adds the functionality of tracking demand for out-of-stock items to an e-commerce site. As of now, all of the plug-ins have been updated and the flaw patched,…

Microsoft has yanked the Windows Server updates it issued on Patch Tuesday after admins found that the updates had critical bugs that break three things: they trigger spontaneous boot loops on Windows servers that act as domain controllers, break Hyper-V and render ReFS volumes unavailable. The breakage was first reported by BornCity on Tuesday, the same day that Microsoft released a mega-dump of 97 security updates in its January 2022 Patch Tuesday update. This month’s batch included the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update and the Windows Server 2022 KB5009555 update, all of which are apparently buggy. “Administrators of Windows Domain Controllers should be careful about installing the January 2022 security updates,” reported BornCity, which is a blog about information technology run by German freelance writer and physics engineer Günter Born. “I have now received numerous reports that Windows servers acting as domain controllers will not boot afterwards,” Born wrote. “Lsass.exe (or wininit.exe) triggers a blue screen with the stop error 0xc0000005. It can hit all Windows Server versions that act as domain controllers, according to my estimation.” Domain controllers are servers that handle security authentication requests within a Windows domain. Microsoft’s Hyper-V, the other chunk of Windows being broken by the Windows Server updates, is a native hypervisor that can create virtual machines on…

Vast amounts of cash sloshing around in cryptocurrency markets are proving irresistible for cybercriminals and scammers of all kinds. From basic financial pump-and-dump schemes to straight-up nation-state cybertheft, nascent crypto markets and their investors – often with a dubious understanding of how they really work – have become prime targets for crypto scammers. North Korean-backed cybercrime groups, including APT 38/Lazarus Group, have turned their talents and resources exclusively toward ripping off crypto markets, according to a new report from Chainalysis. In 2021, the number of North Korean-sponsored crypto attacks grew from four to seven and netted the crooks $400 million, which was a 40 percent increase over 2020, Chainalysis found. But before these groups can cash out, the stolen funds are laundered through software “mixers,” the report added. “DPRK is a systematic money launderer, and their use of multiple mixers – software tools that pool and scramble cryptocurrencies from thousands of addresses – is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat,” the researchers explained. Stolen crypto funds are also run through a DeFi platform so they can be traded for Ethereum or Bitcoin, which are more easily converted to cash, the team at Chainalysis added. In total, the North Korean regime controls $170 million in crypto balances, garnered from 49 individual hacks conducted between 2017 and 2021.

Simpler Scams for Crypto…

U.S. Cyber Command has confirmed that MuddyWater – an advanced persistent threat (APT) cyberespionage actor, aka Mercury, Static Kitten, TEMP.Zagros or Seedworm, that has historically targeted government victims in the Middle East – is an Iranian intelligence outfit. The link has long been suspected, and now it’s government-stamped. On Wednesday, USCYBERCOM not only confirmed the tie; it also disclosed the plethora of open-source tools and strategies MuddyWater uses to break into target systems and released malware samples. “MuddyWater has been seen using a variety of techniques to maintain access to victim networks,” according to USCYBERCOM’s Cyber National Mission Force (CNMF). “These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.” USCYBERCOM has uploaded multiple MuddyWater-attributed malware samples to VirusTotal.

Iranian MOIS hacker group #MuddyWater is using a suite of malware to conduct espionage and malicious activity. If you see two or more of these malware on your network, you may have MuddyWater on it: https://t.co/xTI6xuQOg3. Attributed through @NCIJTF @FBI — USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) January 12, 2022

USCYBERCOM’s press release described MuddyWater as being “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).” The Congressional Research Service describes MOIS as conducting “domestic surveillance to identify…

Once prolific spreaders of REvil ransomware, the GootLoader malware gang has pivoted to actively targeting employees of law and accounting firms with malicious downloads. The Threat Response Unit (TRU) from eSentire issued an alert about having observed, over the past three weeks, GootLoader attacks on three law firms and one accounting firm. WordPress vulnerabilities let the attackers easily hijack sites offering sample business agreements for professionals, the eSentire report explained. The researchers were able to identify more than 100,000 pages with malicious business agreement links set up by GootLoader, with one site having more than 150 pages of content generated by the threat actors. The law firm employees tricked by the malicious agreements were searching for common legal filings including “Post Nuptial Agreement,” “Model IP Agreement” and “Olympus Plea Agreement,” according to the report. “When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” Keegan Keplinger, research and reporting lead for TRU, said. “As a result, unless your organization has security protections in place, your organization is likely infected with GootLoader, which could lead to a ransomware deployment, and then it is game over.”

GootLoader Games Google SEO

The group has also gamed Google’s Search Engine Optimization algorithm to get their malicious sites and downloads to the…

Attackers are leveraging Adobe Creative Cloud to target Office 365 users with malicious links that appear to come legitimately from Creative Cloud users but instead direct victims to a link that steals their credentials, researchers have discovered. Researchers from Avanan, a Check Point company, first discovered the ongoing campaign in December when they stopped one of the attacks, according to a report published Thursday. Adobe Creative Cloud is a popular suite of apps for creating and sharing files and includes widely used apps such as Photoshop and Acrobat. Though attackers are primarily targeting Office 365 users – a favorite target among threat actors – researchers have seen them hit Gmail inboxes as well, Jeremy Fuchs, cybersecurity research analyst at Avanan, told Threatpost. The attack vector works like this: An attacker creates a free account in Adobe Cloud, then creates an image or a PDF file that has a link embedded within it, which they share by email to an Office 365 or Gmail user. “Think of it like when you create a Docusign,” Fuchs explained to Threatpost. “You create the document and then send it to the intended recipient. On the receiving end, they get an email notification, where they click to be directed to the link.” Though the links inside the documents sent to users are malicious, they themselves are not hosted within Adobe Cloud but, rather, on another domain controlled by attackers, he added.

How the Campaign Works

Researchers shared screenshots of the…
